• Access control
  • Metadata
  • Automate access control management for access
  • Grant, modify, and terminate user access
  • Secret authentication information
  • Logging in and out
  • Restrict use of admin utilities
  • Review access grants regularly
  • Unique user IDs
  • Enforcement
  • References
• Asset management
  • Metadata
  • Maintain an asset inventory
  • Use company-owned assets
  • Acceptable Use for employees
  • Return organizational assets upon
  • Manage the installation of software
  • Enforcement
  • References
• Awareness, training, and reminders
  • Metadata
  • Foster awareness of compliance
  • Notify users of their responsibilities
  • Provide compliance training that is clear and complete
  • Run simulated tabletop information security incident training
  • Third-party resources
  • Enforcement
  • References
• Backup
  • Metadata
  • Create and maintain integrous backups
  • Automatically create point-in-time backups
  • Automatically validate backup management
  • Restrict access to backups
  • Enforcement
  • References
• Compliance
  • Metadata
  • Comply with the appropriate regional regulations
  • Comply with contractual requirements
  • Who is accountable and responsible
  • Handle investigations, complaints and rights
  • HIPAA and state law preemption in the United States
  • Enforcement
  • References
• Continuity
  • Metadata
  • Ensure continuity of operational systems during adverse situations
  • Ensure continuity of employee operations during adverse situations
  • Activate Emergency Mode
  • Treat systems in order of criticality
  • Train, test and revise continuity plans
  • Enforcement
  • References
• Cryptography
  • Metadata
  • Use the best reasonably available cipher strength and key length
  • Use current standard open-source and vendor cryptographic methods and implementations
  • Encrypt all data at rest
  • Encrypt all data in transit
  • Manage cryptographic keys
  • Use certificates to authenticate keys
  • Legal compliance
  • Enforcement
  • References
• Definitions
  • Metadata
  • Applicability
  • BA
  • Backup System
  • Breach
  • Cloud Provider
  • Customer
  • EHRi
  • Employee
  • HIPAA
  • ISMP
  • Maturity level (in _metadata)
  • Media
  • Mobile devices
  • Operational systems
  • Password
  • PCI DSS
  • PHI
  • PII
  • PoS
  • Secret Key
  • Server
  • SLA
  • Telework
  • Unsecured protected health information
  • Vendor
  • Employees
  • References
• Disciplinary process
  • Metadata
  • Appropriate, fair and consistent sanctions can
  • Apply appropriate sanctions
  • Determine sanction severity based on the following factors
  • Apply sanctions in increasing order of severity
  • Do not apply sanctions
  • Immediate termination is justified for
  • Incidents involving customers or suppliers
  • Enforcement
  • References
• Documentation
  • Metadata
  • Policies and procedures
  • Documentation
  • Retain compliance documentation
  • Enforcement
  • References
• Human resource security
  • Metadata
  • Screen employees prior to hiring
  • Workforce contracts
  • Authorize minimum necessary access to PHI
  • Terminate employee authorization
  • Upon termination, require return of all physical assets
  • Enforcement
  • References
• Information classification
  • Metadata
  • Document customer criticality
  • Enforcement
  • References
• Information privacy
  • Metadata
  • General
  • We do not directly collect, use or disclose PHI
  • Access customer content only to maintain or provide our services
  • Safeguard privacy
  • Publish a Privacy Notice
  • Inquiries, complaints, and disputes from data subjects
  • Implement an Information Privacy Program
  • Verify compliance
  • Enforcement
  • References
• Information security
  • Metadata
  • Guide ourselves using an Information Security Management Program based on ISO/IEC 27002:2013
  • Meet our responsibilities for protecting data
  • Protect and secure all of our information system assets
  • Align the ISMP with our goals and processes
  • Continuously improve our policies
  • Verify compliance to this policy
  • Report problems
  • Exceptions
  • Enforcement
  • Non-compliance
  • References
• Information security incidents
  • Metadata
  • Use automated systems to detect, log, and alert on suspicious activity
  • Immediately respond upon detection
  • Notify the appropriate parties when any breach of PII or PHI occurs
  • Analyse and document
  • Require notifications from suppliers
  • Report weaknesses
  • Enforcement
  • References
• Information transfer
  • Metadata
  • Document information transfer security in agreements
  • Cryptographically secure and sign communications
  • Document non-disclosure requirements in agreements
  • Enforcement
  • References
• Logging and monitoring
  • Metadata
  • Log events automatically on all operational systems
  • Log service activity on all systems that handle PHI
  • Protect the logs
  • Retain logs until whichever comes first
  • Synchronize the clocks of servers
  • Enforcement
  • References
• Malware protection
  • Metadata
  • Do not require server-level malware protection on Linux servers
  • Run malware protection on workstations
  • When malware is detected
  • Enforcement
  • References
• Media handling
  • Metadata
  • Erase or destroy media containing PHI prior to disposal or re-use to prevent data from being recovered
  • Don't put sensitive data on removable media
  • Enforcement
  • References
• Mobile devices and teleworking
  • Metadata
  • Be secure while teleworking
  • Mobile devices
  • Enforcement
  • References
• Network security management
  • Metadata
  • Manage and control networks
  • Segregate the networks of each each customer using virtual networks
  • Use firewalls on all virtual networks and servers
  • Enforcement
  • References
• Risk management
  • Metadata
  • Perform risk management
  • Maintain a continuous cadence of risk management assessments and tests
  • Acquire and maintain independent certifications
  • Acquire and maintain independent risk assessments
  • Acquire and maintain independent security tests
  • Perform internal reviews and assessments of information security risk
  • Distribute the results of reviews to
  • Manage and treat risk
  • Enforcement
  • References
• Secure areas
  • Metadata
  • Delegate the physical security of all operational systems, facilities, and equipment to major cloud providers
  • Delegate the physical management and ownership of all operational systems, facilities, and equipment to major cloud providers
  • Enforcement
  • References
• Software development and operations
  • Metadata
  • Applicability
  • To conduct software development and operations
  • Implement all operations activities as software development
  • Make security a key part of software development and operations
  • Control changes to software and systems
  • Operate reliable systems with appropriate redundancy and availability
  • Perform testing of software
  • Have PHI only on production systems
  • Do not outsource software development and operations
  • Respect Intellectual Property Rights and licenses
  • Enforcement
  • References
• Suppliers
  • Metadata
  • Ensure suppliers and vendors have appropriate safeguards
  • Document security mechanisms, SLAs and management information in agreements
  • Business Associate suppliers
  • Enforcement
  • References
• Workstation
  • Metadata
  • Automatically manage workstation computers using Mobile Device Management (MDM) software
  • Protect information from unauthorized view
  • Enforcement
  • References

Access control

MedStack Confidential

Metadata

• responsible officer: CTO
• approved by: CTO
• date
  • effective: 2018-06-20
  • revised: 2022-08-31
  • reviewed: 2022-08-31
• Applicability: standard

Automate access control management for access

• by us, to
  • PHI
  • servers, programs, processes, networks, etc.
  • administrative functions
  • facilities (where possible)
  • equipment (where possible)
• by customers
  • Limitations on our management of customer systems
    • Administrative access for customers means access to administrative functions on the systems we operate for them.
    • We only manage customer administrative access and no other type of access related to the customer.
    • For example, we do not manage, monitor, access, or otherwise involve ourselves in any other access to customer apps, database schemas or data, files, cache data, point of services, electronic health record systems, or any other customer systems or data.
  • Customer administrative authorization and access
    • Provide customers with a secure method to establish, modify and terminate authorization for access.

Code	Section	Title
ISO	A.9.4.1	Information access restriction
ISO	A.9.2.4	Management of secret authentication information of users
HIPAA	164.308(a)(4)(ii)(C)	Access establishment and modification (Addressable)

Grant, modify, and terminate user access

• Grant access
  • in sync with authorization grants
  • no more than necessary to implement the authorization
• Modify access control grants
  • when authorization changes.
• Terminate access
  • immediately when authorization terminates
  • independently of the technology used for access
• Review access
  • immediately when a user’s role or authorization changes
  • quarterly for all users
• Use the principle of least privilege
  • Run customer applications on low-privilege accounts with restricted system access.

Code	Section	Title
ISO	A.9.1.2	Access to networks and network services
ISO	A.9.2.1	User registration and de-registration
ISO	A.9.2.2	User access provisioning
ISO	A.9.2.3	Management of privileged access rights
ISO	A.9.2.6	Removal or adjustment of access rights
CHI	SR60	Timely Revocation of Access Privileges
HIPAA	164.308(a)(4)(ii)(B)	Access authorization (Addressable)

Secret authentication information

• Create strong passphrases (passwords)
  • The user creates their own passphrase, subject to the minimum standards by the service (such as Google Suite).
  • Encourage users to use password management tools and generate random passphrases.
• Evaluate passphrase strength using entropy
  • Minimum lengths and requirements to use certain types of characters do not reliably increase the difficulty of guessing a passphrase.
  • Minimum recommended entropy for interactive login systems is 40 bits.
• Generate strong secret keys
  • The user creates their own key using an authorized key-generation tool (such as OpenSSH).
  • A key is generated for the user and provided to them through a secure encrypted channel (such as customer credentials).
  • The key strength for SSH keys is at least 2048-bits.
  • Document the allocation and transfer to users.
• Do not require scheduled passphrase rotation
  • Password rotation introduces weaknesses such as password hashing vulnerabilities and the use of easily guessable passwords.
• Rotate secret authentication information as required
  • Change affected secrets in the event of an information security compromise.
• Storage of passwords in writing
  • Important passwords may be stored in writing on paper.
  • The paper copy must be kept out of sight (such as in a drawer).

Code	Section	Title
ISO	A.9.3.1	Use of secret authentication information
ISO	A.9.4.3	Password management system
HIPAA	164.308(a)(5)(ii)(D)	Password management (Addressable)

Logging in and out

• Require authentication with a username and a strong passphrase (or secret key) on all systems.
  • Require two-factor authentication
    • For access to the MedStack Dashboard
    • For access to vendor systems, where feasible
  • Automatic logoff
    • Enable in vendor services where available.
    • Enable on workstations where available.
    • Do not enable in situations where it would have no effect because login is automated (such as SSH).

Code	Section	Title
ISO	A.9.4.2	Secure log-on procedures
HIPAA	164.312(a)(2)(iii)	Automatic logoff (Addressable)
HIPAA	164.312(d)	Standard: Person or entity authentication
SOC2	CC6.1	The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.
SOC2	CC6.1	The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.
SOC2	CC6.6	The entity implements logical access security measures to protect against threats from sources outside its system boundaries.

Restrict use of admin utilities

Code	Section	Title
ISO	A.9.4.4	Use of privileged utility programs
CHI	SR68	Controlling Access to EHRi System Utilities

Review access grants regularly

Code	Section	Title
ISO	A.9.2.5	Review of user access rights
CHI	SR56	Reviewing User Registration Details
SOC2	CC6.2	Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.

Unique user IDs

• Exclusively use unique user IDs for information system access and activities where possible.
• Do not require UUIDs where it would make it impossible to automate key tasks (for example, API keys for access between CI/CD systems).

Code	Section	Title
HIPAA	164.312(a)(2)(i)	Unique user identification (Required)

Enforcement

• Responsible party: All managers and supervisors
• sanctions: standard

References

Code	Section	Title
ISO	A.9	Access control
ISO	A.9.1	Business requirements for access control
ISO	A.9.1.1	Access control policy
ISO	A.9.2	User access management
ISO	A.9.3	User responsibilities
ISO	A.9.4	System and application access control
HIPAA	164.308(a)(4)(i)	Standard: Information access management
HIPAA	164.308(a)(4)(ii)(A)	Isolating health care clearinghouse functions (Required)
HIPAA	164.312(a)	Standard: Access control
SOC2	CC6.1	The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.
SOC2	CC6.1	The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.

Asset management

MedStack Confidential

Metadata

• responsible officer: CTO
• approved by: CTO
• date
  • effective: 2018-06-20
  • revised: 2020-06-18
  • reviewed: 2022-08-31
• Applicability: standard

Maintain an asset inventory

• Automatically identify all assets
  • Use automated tools to detect assets and to maintain and update the asset inventory.
  • Link each asset to an internal or customer owner and responsible party.

Code	Section	Title
ISO	A.8.1.1	Inventory of assets
SOC2	CC6.1	The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.

Use company-owned assets

• The company must own all production systems and employee workstations.

Code	Section	Title
ISO	A.8.1.2	Ownership of assets

Acceptable Use for employees

• Assets may only be used as defined in these policies.
• Access PHI only in aggregate form as needed to fulfill work duties.
• Do not read individual PHI records.

Code	Section	Title
ISO	A.8.1.3	Acceptable use of assets

Return organizational assets upon

• termination of employee
• change of role, where employee no longer requires assets

Code	Section	Title
ISO	A.8.1.4	Return of assets

Manage the installation of software

• Production systems
  • Install software programmatically and manage what software is installed in source control.
• Workstations and mobile devices
  • Install software only from trusted sources.

Code	Section	Title
ISO	A.12.6.2	Restrictions on software installation
SOC2	CC6.8	The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives.

Enforcement

• Responsible party: All managers and supervisors
• sanctions: standard

References

Code	Section	Title
ISO	A.8.1	Responsibility for assets
CHI	SR8	Responsibility for information assets

Awareness, training, and reminders

MedStack Confidential

Metadata

• responsible officer: CTO
• approved by: CTO
• date
  • effective: 2018-06-20
  • revised: 2020-06-18
  • reviewed: 2022-08-31
• Applicability: standard

Foster awareness of compliance

• Provide security reminders based on compliance training materials.
• Attend privacy and security conferences.
• Maintain awareness of new and evolving security threats.

Code	Section	Title
ISO	A.6.1.4	Contact with special interest groups
HIPAA	164.308(a)(5)(ii)(A)	Security reminders (Addressable)

Notify users of their responsibilities

• to protect their credentials (passwords)
• to apply information security in accordance with our policies

Code	Section	Title
ISO	A.7.2.1	Management responsibilities

Provide compliance training that is clear and complete

• To
  • all employees
• When
  • during the new employee orientation period
  • before access is permitted to production systems
  • annually
• Train on
  • what is compliance and what compliance frameworks we follow
  • third party regulations on health data privacy and security
  • our internal information privacy and security policies and procedures
  • the duties and responsibilities of specific individuals, workgroups, departments, and divisions
  • security basics such as password management, malware protection, social engineering and phishing
• Maintain training records
  • including the training done and when it was done

Code	Section	Title
ISO	A.7.2.2	Information security awareness, education and training
CHI	SR15	Training users and raising security awareness
SOC2	CC1.1	Establishes Standards of Conduct
SOC2	CC1.4	COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

Run simulated tabletop information security incident training

• annually or when the threat environment changes significantly
• for employees with operational PHI access

Third-party resources

• Use recognized independent third-party resources where possible.

Enforcement

• Responsible party: All managers and supervisors
• sanctions: standard

References

Code	Section	Title
ISO	A.7.2	During employment
HIPAA	164.308(a)(5)(i)	Standard: Security awareness and training
SOC2	CC1.4	COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
SOC2	CC2.2	COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
SOC2	CC1.4	COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

Backup

MedStack Confidential

Metadata

• responsible officer: CTO
• approved by: CTO
• date
  • effective: 2018-06-20
  • revised: 2020-11-23
  • reviewed: 2022-08-31

Create and maintain integrous backups

• Why
  • Protect data against accidental or malicious deletion and media and access failure.
  • Provide a basis for restoration in case of system failure.
• Make complete, exact copies
  • Dump entire database servers using official tools.
  • Encrypt and sign backup archives.
  • Restrict the ability to modify backup files (for example, use write-only access for servers creating backups).
• Maintain confidentiality in backups
  • Restrict access to backup files to superadmins and customer administrators.
  • Ensure that temporary files are on encrypted drives.
• Maximize availability, durability and retrievabilty
  • Protect backups against media failure, power spikes or outages, fire, flood, or other natural disaster, viruses, hackers, and improper acts by employees and others.
  • Store backups in a separate physical environment to mitigate loss of an environment.
  • Make redundant copies of backups to mitigate the loss of physical media.

Automatically create point-in-time backups

• For virtual machines
  • hourly (expires after one day)
  • daily (expires after one week)
  • weekly (expires after 4 weeks)
  • monthly (never expires)
  • After a backup expires, permanently delete it.
• For managed databases
  • based on the schedule and retention time provided by the cloud service provider

Automatically validate backup management

• Monitor the backup lifecycle automatically.
• Test backup restoration.
• Log all backup activity.

Restrict access to backups

• Our employees
  • superadmins
• Customers
  • The customer is responsible for restricting the access of their personnel and systems to the backups and keys.

Enforcement

• Responsible party: All information technology managers and supervisors
• sanctions: standard

References

Code	Section	Title
ISO	A.12.3	Backup
ISO	A.12.3.1	Information backup
CHI	SR29	Securely Backing Up Data
HIPAA	164.308(a)(7)(ii)(A)	Data backup plan (Required)
HIPAA	164.308(a)(7)(ii)(B)	Disaster recovery plan (Required)
HIPAA	164.310(d)(2)(iv)	Data backup and storage (Addressable)
HIPAA	164.312(c)(1)	Standard: Integrity
HIPAA	164.312(c)(2)	Implementation specification: Mechanism to authenticate electronic protected health information (Addressable)
SOC2	A1.2	The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.
SOC2	A1.2	The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.
SOC2	A1.3	The entity tests recovery plan procedures supporting system recovery to meet its objectives.
SOC2	PI1.5	The entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications to meet the entity’s objectives.

Compliance

MedStack Confidential

Metadata

• responsible officer: CTO
• approved by: CTO
• date
  • effective: 2018-06-20
  • revised: 2020-06-18
  • reviewed: 2022-08-31

Comply with the appropriate regional regulations

• Comply with HIPAA for resources and PHI in the United States of America.
• Comply with PHIPA and other provincial regulations for resources and PHI in Canada.
• Comply with GDPR for resources in the European Union.
• Comply with other regional laws as appropraite.
• Identify all relevant legislative statutory and regulatory requirements.

Code	Section	Title
HIPAA	45 CFR Part 160, Subpart B (§§ 160.201 - 160.205)	Preemption of State Law

Comply with contractual requirements

• Identify all relevant contractual requirements.

Who is accountable and responsible

• The Board of Directors will
  • Ensure that we are in compliance with applicable laws, regulations and rules and with these policies.
• The CEO will
  • Review and approve these policies and implementation.
• The CTO is the Chief Privacy and Security Officer (CPSO) and will
  • Implement and manage the the Information Privacy Program and the Information Security Management Program (ISMP).
  • Establish, review and approve of these policies.
  • Oversee and be responsible for the implementation for these policies.
  • Maintain up to date knowledge of compliance technology and laws, rules and regulations, and keep the policies up to date.
  • Be the designated HIPAA officer.
  • Serve as liaison to government agencies, industry groups and privacy activists in all matters relating to our privacy practices.
• All management in all departments will
  • Integrate compliance into their projects based on these policies.
  • Demonstrate leadership and commitment to compliance.
• All employees and contractors will
  • Understand and follow all of these policies.
  • Safeguard the privacy and confidentiality of PHI.
  • Work together to prevent, detect and respond to security and privacy incidents.
  • Protect passwords and authentication devices.

Code	Section	Title
HIPAA	164.308(a)(2)	Standard: Assigned security responsibility
SOC2	CC1.1	COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values.
SOC2	CC1.2	COSO Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
SOC2	CC1.3	COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
SOC2	CC5.3	COSO Principle 12: The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action.

Handle investigations, complaints and rights

• In case of an investigation by a legal authority
  • immediately notify all Responsible Officers, executive management and legal counsel
  • verify the identify and legal authority of the investigators
  • do not impede, obstruct, or mislead investigators
  • under the direction of management, cooperate with the investigators and provide all documentation or assistance required by law
• Establish procedures for individuals to complain about our compliance with our privacy policies and procedures and the Privacy Rule.
• Do not retaliate against a person for exercising rights provided by law, for assisting in an investigation by appropriate authorities, or for opposing an act or practice that the person believes in good faith violates any standard or requirement.

HIPAA and state law preemption in the United States

• Follow HIPAA over state law in general, as HIPAA preempts state laws regarding PHI, unless the state law provides stronger protections.
• Conflicts between HIPAA and state law do not generally affect us.

Enforcement

• Responsible party: All managers and supervisors
• sanctions: standard

References

Code	Section	Title
ISO	A.18.1	Compliance with legal and contractual requirements
ISO	A.18.1.1	Identification of applicable legislation and contractual requirements
ISO	A.18.1.3	Protection of records
SOC2	CC3.1	COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
SOC2	CC3.1	COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
SOC2	CC3.1	COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

Continuity

MedStack Confidential

Metadata

• responsible officer: CTO
• approved by: CTO
• date
  • effective: 2018-06-20
  • revised: 2020-06-18
  • reviewed: 2022-08-31

Ensure continuity of operational systems during adverse situations

• Use cloud providers for operational systems
  • They have world-leading protections for information security continuity.
  • Delegate responsibility for physical infrastructure to them.
  • Use geographic redundancy where appropriate to reduce the impact of the loss of a data centre.
• Maintain information security protection
  • Protect data during emergencies, even as it is protected during normal operations.
• Evaluate
  • the expected length of the emergency
  • the scale of the emergency
• Ensure customer access to information
  • Restore systems in order of criticality.
  • Re-create operational systems from backups and images as needed.
  • Use alternative data centres and geographic regions as appropriate and as permitted.
• Communicate with affected customers
  • Alert them to the expected length, scale, and actions that will be taken.
  • Update them immediately as systems are restored or re-created.
  • If systems still cannot be accessed for eight hours, update them.
  • Update them daily until the data is restored or is deemed to be permanently lost.
  • Update them if information is permanently lost.

Ensure continuity of employee operations during adverse situations

• Protect employees
  • Prioritize the safety of employees in adverse situations.
  • In a dangerous emergency, evacuating personnel has priority over preserving information assets.
  • Follow standard emergency procedures and notify authorities as necessary.
• Restore availability
  • Notify other employees of the situation and emergency protocols.
  • Travel and transport essential equipment to a location that is not affected.
  • Replace essential equipment as necessary.
  • Re-establish connections with the internet in order to resume technical activities.
• Continue business operations
  • Enable continuation of critical business processes for the protection of information.
  • Notify third parties, such as insurance carriers and damage restoration suppliers.
  • Acquire alternative facilities if necessary.
• Roles and responsibilities
  • CTO
    • Information and communications technology
    • Physical Security
    • Utilities
  • CEO
    • Mail and couriers
    • Contact with customers
    • Transportation
    • Business records
    • Legal issues
    • Supplier and partner relations
    • Media relations

Activate Emergency Mode

• during prolonged adverse conditions
  • after eight hours of
    • non-availability of employee facilities
    • non-availability of cloud infrastructure
  • due to
    • electrical power failure
    • earthquake, fire, flood, storm or other natural disaster
    • sabotage, terrorism, vandalism
    • any other adverse condition

Code	Section	Title
HIPAA	164.308(a)(7)(ii)(C)	Emergency mode operation plan (Required)

Treat systems in order of criticality

• Restore in order of customer criticality
  • Follow documented criticality.
  • Reprioritize in case of customers who have communicated an emergency with immediate health consequences.
• Restore in order of system criticality
  • 1: customer access to backups
  • 2: production systems
  • 3: staging systems
  • 4: development systems

Train, test and revise continuity plans

• Train employees in disaster preparation and recovery, and knowledge of responsibilities in the event of a disaster.
• Periodically test, and revise as necessary, all emergency preparedness plans, including emergency and contingency plans.

Code	Section	Title
ISO	A.17.1.3	Verify, review and evaluate information security continuity
HIPAA	164.308(a)(7)(ii)(D)	Testing and revision procedures (Addressable)
SOC2	A1.3	The entity tests recovery plan procedures supporting system recovery to meet its objectives.

Enforcement

• Responsible party: All managers and supervisors
• sanctions: standard

References

Code	Section	Title
ISO	A.17.1	Information security continuity
ISO	A.17.1.1	Planning information security continuity
ISO	A.17.1.2	Implementing information security continuity
CHI	SR86	Testing Business Continuity Plans
HIPAA	164.308(a)(7)(i)	Standard: Contingency plan
HIPAA	164.312(a)(2)(ii)	Emergency access procedure (Required)
SOC2	CC7.5	The entity identifies, develops, and implements activities to recover from identified security incidents.
SOC2	A1.2	The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.

Cryptography

MedStack Confidential

Metadata

• responsible officer: CTO
• approved by: CTO
• date
  • effective: 2018-06-20
  • revised: 2020-08-05
  • reviewed: 2022-08-31

Use the best reasonably available cipher strength and key length

• AES-256 cipher
• 2048-bit keys

Use current standard open-source and vendor cryptographic methods and implementations

• Follow independent expert guidance from standards organizations and academia.
• Update protocols and configurations when older versions are found to be insecure.

Code	Section	Title
OWASP	Cryptographic Storage Cheat Sheet	Algorithms
OWASP	Cryptographic Storage Cheat Sheet	Custom Algorithms

Encrypt all data at rest

• Encrypt data at rest using
  • For devices: the official vendor or standard open-source method (e.g. FileVault, dm-crypt and LUKS)
  • For infrastructure: a method provided by the cloud provider (e.g; full disk encryption, server-side encryption, storage encryption)

Encrypt all data in transit

• Encrypt data during transmission over all networks (public and private)
• Encrypt HTTPS/TLS connections using strong cryptography as defined by PCI DSS

Code	Section	Title
PCI-DSS	Requirement 4	Encrypt transmission of cardholder data across open, public networks
HIPAA	164.312(e)(1)	Standard: Transmission security
HIPAA	164.312(e)(2)(i)	Integrity controls (Addressable)
HIPAA	164.312(e)(2)(ii)	Encryption (Addressable)

Manage cryptographic keys

• Automate the entire key lifecycle
  • Centrally manage the distribution of keys.
  • Automate generating, storing, archiving, retrieving, distributing, retiring and destroying keys.
• Protect keys
  • against modification or loss
  • for private keys, against unauthorized use and disclosure
• Rotate keys when
  • a suspected breach occurs
  • an entity with access to the key must have its access removed

Code	Section	Title
ISO	A.10.1.2	Key management
SOC2	CC6.1	The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.

Use certificates to authenticate keys

• Protect endpoints with certificates.
• Use commonly accepted and independently trusted signing authorities for all public endpoint certificates.

Legal compliance

• Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations.

Code	Section	Title
ISO	A.18.1.5	Regulation of cryptographic controls

Enforcement

• Responsible party: All managers and supervisors
• sanctions: standard

References

Code	Section	Title
ISO	A.10.1	Cryptographic controls
ISO	A.10.1.1	Policy on the use of cryptographic controls
HIPAA	164.312(a)(2)(iv)	Encryption and decryption (Addressable)
SOC2	CC6.1	The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.

Definitions

MedStack Confidential

Metadata

• responsible officer: CTO
• approved by: CTO
• date
  • effective: 2018-06-20
  • revised: 2020-08-05
  • reviewed: 2022-08-31

Applicability

• Standard
  • People: This policy applies to all of our employees, contractors and agents who have access to PHI or who work in proximity to media or devices containing PHI.
  • Customer: This policy applies to all customer organizations and their respective agents who may have access to, and use, our information system assets.
  • Assets: This policy applies to all of our information system assets including PHI, system administration and security data, hardware, software, communications networks and facilities.
  • Activities: This policy applies to all activities associated with the operation of our information systems and our business operations.

BA

• summary: Business Associate
• Refer to
  • HIPAA
  • Business associates

Backup System

• summary: An automated system developed by us that backs up the database and data on each server.

Breach

• summary: Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.
• Refer to: HIPAA 164.402

Cloud Provider

• summary: A major public cloud infrastructure provider, such as Amazon Web Services or Microsoft Azure.

Customer

• summary: Our direct customer, which could be a Covered Entity, a Business Associate, a Health Information Custodian, or otherwise depending on regulatory framework.

EHRi

• summary: Electronic Health Record Infostructure
• Refer to: CHI

Employee

• Same as Workforce Member

HIPAA

• summary: Health Insurance Portability and Accountability Act of 1996, including those requirements and standards amended by the HITECH Act, the HIPAA “Omnibus” Final Rule.
• Refer to: HIPAA

ISMP

• Information Security Management Program

Maturity level (in _metadata)

• summary: Maturity level for each policy
• Refer to: NICE Cybersecurity Workforce Planning CMM definition (page iii) https://niccs.us-cert.gov/sites/default/files/Capability%20Maturity%20Model%20White%20Paper.pdf?trackDocs=Capability%20Maturity%20Model%20White%20Paper.pdf
• details
  • 1. Limited: Limited is the most basic level, portraying a key activity area or segment of an organization’s cybersecurity workforce planning capability that is in its infancy. This level of capability is at its start of development and may be represented by an organization having limited establishment of processes, lacking clear guidance, or having little in terms of data and analysis methods.
  • 2. Progressing: The progressing level describes a key activity area of some aspect of cybersecurity workforce planning which an organization has started to perform, commonly represented by an organization establishing some infrastructure to support workforce planning efforts.
  • 3. Optimizing: Optimizing, depicts a key activity area or segment of cybersecurity workforce planning capability that has fully developed, such as one that is integrated with other business processes and can support different levels of workforce and workload analysis, the results of which drive short- and long-term decision making for the cybersecurity workforce.

Media

• Media includes
  • disks (such as HDDs and SSDs)
  • removable media (such as SD cards, memory sticks and CD-ROMs)

Mobile devices

• All portable digital devices, such as phones, tablets and laptops.

Operational systems

• All systems and services that are serving data to the internet or to other internet-connected systems, or are managing those systems. Includes servers. Does not include employee workstations.

Password

• This term also includes passphrases and secret access keys (such as SSH keys).

PCI DSS

• Payment Card Industry Data Security Standard

PHI

• summary
  • Individually identifiable health information
  • Protected Health Information
  • Personal Health Information

Code	Section	Title
HIPAA	160.103 Definitions	Individually identifiable health information

PII

• summary
  • Personally Identifiable Information
  • also referred to as Personal Data

Code	Section	Title
U.S. Code of Federal Regulations	2 CFR § 200.79	Personally Identifiable Information (PII)
NIST	Special Publication 800-122	Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
GDPR	Article 4(1)	personal data
PIPEDA	2(1)	personal information

PoS

• summary: Point of Service
• Refer to: CHI

Secret Key

• a password, passphrase, or randomly-generated secret.

Server

• Usually a Linux Virtual Machine.

SLA

• Service Level Agreement.

Telework

• Telecommuting or working remotely in a non-owned-office environment, such as
  • home
  • third-party office (such as a co-working space)
  • public environment (such as a coffee shop)
  • while travelling

Unsecured protected health information

• summary: Unsecured protected health information means protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of Public Law 111-5.
• Refer to: HIPAA 164.402

Vendor

• Service provider to us, which could be a Business Associate or otherwise depending on regulatory framework.

Employees

• Employees, volunteers, trainees, and may also include other persons whose conduct is under our direct control (whether or not they are paid by us).

References

Code	Section	Title
HIPAA	160.103	Definitions

Disciplinary process

MedStack Confidential

Metadata

• responsible officer: CTO
• approved by: CTO
• date
  • effective: 2018-06-20
  • revised: 2020-06-18
  • reviewed: 2022-08-31

Appropriate, fair and consistent sanctions can

• have a deterrent influence on workforce transgressions
• help prevent breaches of PHI
• help prevent, or reduce the severity, of compliance violations

Apply appropriate sanctions

• for significant failures to follow established policies and procedures, or commit various offenses.
• based on the nature and severity of the error or offense
• use an escalating scale of sanctions based on the highest category level of risk
• less severe sanctions applied to less severe errors and offenses
• more severe sanctions applied to more severe errors and offenses
• regardless of the employee’s position in the company

Determine sanction severity based on the following factors

• Exposure: How much external exposure to sanctions for the organization
• Number involved: How many systems, how much data, how many patients affected, etc.
• Purpose: Ignorance or lack of education; Snooping or curiosity; Malice, sale, or personal gain
• Special Protection: Does the incident involve elements with special protection under the law.

Apply sanctions in increasing order of severity

• Disciplinary process
• Made an example of
• Probation
• Suspension without pay
• Termination
• Notify appropriate law enforcement authorities for offenses involving obvious illegal activity.

Do not apply sanctions

• For investigations of disclosures by whistleblowers or victims of a crime
• For disclosures of information to an authority as required by law
• To retaliate in case of permitted investigations and disclosures

Immediate termination is justified for

• theft of company resources
• intentional lying or deception
• drug or alcohol abuse while on the job
• violence against persons or property

Incidents involving customers or suppliers

• If the incident poses a threat
  • Limit the access of those involved to protect sensitive assets.
• Customers
  • Report the incident to the customer organization.
• Vendors
  • Pursue remedies defined by the contract with the supplier.

Enforcement

• Responsible party: All managers and supervisors
• sanctions: standard

References

Code	Section	Title
ISO	A.7.2.3	Disciplinary process
HIPAA	164.308(a)(1)(ii)(C)	Sanction policy (Required)
SOC2	CC1.1	COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values.
SOC2	CC1.5	COSO Principle 5: The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
SOC2	CC1.5	COSO Principle 5: The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Documentation

MedStack Confidential

Metadata

• responsible officer: CTO
• approved by: CTO
• date
  • effective: 2018-06-20
  • revised: 2020-11-23
  • reviewed: 2022-08-31
• Applicability: standard

Policies and procedures

• Create
  • Create appropriate policies and procedures as required by law and as suggested by good business practices and general business ethics.
  • Engage third-party experts to guide and review.
• Update
  • annually
  • in response to environmental or operation changes affecting the privacy or security of information
  • as required by law
• Model on and make consistent with
  • ISO 27001
  • applicable HIPAA Rules and Regulations
  • applicable US State laws and statutes
  • Canadian legislation (such as PHIPA in Ontario)
• Distribution and storage
  • Make all policies and procedures easily available to all employees.
  • Require and train all employees to read, understand, and comply with all policies and procedures.
  • Do not hold employees accountable for compliance unless they have been given access to the policies and procedures.

Code	Section	Title
ISO	A.5.1.1	Policies for information security
ISO	A.5.1.2	Review of the policies for information security
HIPAA	164.316(a)	Standard: Policies and procedures
HIPAA	164.316(b)(2)(ii)	Updates (Required)
SOC2	CC1.4	COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
SOC2	CC5.3	COSO Principle 12: The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action.
SOC2	CC5.3	COSO Principle 12: The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action.

Documentation

• Document activities governed by these policies.
• Make documentation available to those employees who have a legitimate need for it, and who are authorized to access it.
• Securely maintain and store all documentation.

Code	Section	Title
HIPAA	164.316(b)(1)	Standard: Documentation
HIPAA	164.316(b)(2)(ii)	Availability (Required)

Retain compliance documentation

• Retain for six years
  • from the date of creation, or
  • from the date it was last in effect,
  • whichever is later.
• This retention requirement does not apply to
  • medical records
• Retain the following documentation
  • risk analyses and related notes and research materials
  • requests, complaints, and their disposition
  • contracts, along with amendments, renewals, revisions, and terminations
  • the names and titles of officers under these policies and procedures
  • training provided (i.e., topics, dates, and, ideally, participants)
  • sanctions imposed against non-complying work force members
  • signed authorizations and revocations

Code	Section	Title
HIPAA	164.316(b)(2)(i)	Time limit (Required)

Enforcement

• Responsible party: All managers and supervisors
• sanctions: standard

References

Code	Section	Title
ISO	A.5	Information security policies
ISO	A.5.1	Management direction for information security

Human resource security

MedStack Confidential

Metadata

• responsible officer: CTO
• approved by: CTO
• date
  • effective: 2018-06-20
  • revised: 2020-08-05
  • reviewed: 2022-08-31

Screen employees prior to hiring

• Responsible party: Hiring manager
• Clearance
  • Check three professional references
  • Perform a criminal record check
  • Document into a clearance file
• Purpose
  • Ensure that persons with serious criminal records or histories of financial or legal difficulties do not have inappropriate access to PHI.

Code	Section	Title
ISO	A.7.1.1	Screening
HIPAA	164.308(a)(3)(ii)(B)	Workforce clearance procedure (Addressable)
CHI	SR13	Verifying the identity of users
SOC2	CC1.4	COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

Workforce contracts

• Include language in workforce contracts regarding
  • responsibilities for information security
  • that they are responsible for following these policies and procedures
  • termination of access and return of assets

Code	Section	Title
ISO	A.7.1.2	Terms and conditions of employment
CHI	SR11	Addressing user responsiblities in job descriptions
CHI	SR12	Addressing user responsibillities in Terms of Employment
SOC2	CC2.2	COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

Authorize minimum necessary access to PHI

• Authorize the appropriate level of access to PHI to all members of the workforce.
• Base authorization on the nature and duties of the employee’s job.
• Immediately modify authorization when the nature of their job changes and requires a different level of access, whether greater or lesser.

Code	Section	Title
HIPAA	164.308(a)(3)(ii)(A)	Authorization and/or supervision (Addressable)

Terminate employee authorization

• when their employment relationship with our organization ends
• when the employee has been sanctioned, as appropriate
• immediately (with no more than one hour delay) upon the occurrence of a triggering event

Code	Section	Title
ISO	A.7.3.1	Termination or change of employment responsibilities
HIPAA	164.308(a)(3)(ii)(C)	Termination procedures (Addressable)

Upon termination, require return of all physical assets

Code	Section	Title
ISO	A.8.1.4	Return of assets

Enforcement

• Responsible party: All managers and supervisors
• sanctions: standard

References

Code	Section	Title
ISO	A.7	Human resource security
ISO	A.7.1	Prior to employment
ISO	A.7.3	Termination and change of employment
HIPAA	164.308(a)(3)	Standard: Workforce security
SOC2	CC2.3	COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control.
SOC2	CC8.1	The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.
SOC2	CC9.2	The entity assesses and manages risks associated with vendors and business partners.

Information classification

MedStack Confidential

Metadata

• responsible officer: CTO
• approved by: CTO
• date
  • effective: 2018-06-20
  • revised: 2020-06-18
  • reviewed: 2022-08-31

Document customer criticality

• Evaluate the criticality of each system
  • Rank each customer based on the negative impact on their users if an emergency occurs.
  • Rank each system based on its criticality to the customer (e.g. production, staging, test or development).
• Document the criticality of each system.
• Update the criticality of a system when the customer makes significant changes to their operations.

Enforcement

• Responsible party: All managers and supervisors
• sanctions: standard

References

Code	Section	Title
ISO	A.8.2	Information classification
ISO	A.8.2.1	Classification of information
ISO	A.8.2.2	Labelling of information
ISO	A.8.2.3	Handling of assets
HIPAA	164.308(a)(7)(ii)(E)	Contingency plan
SOC2	CC3.2	COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
SOC2	P6.7	The entity provides data subjects with an accounting of the personal information held and disclosure of the data subjects’ personal information, upon the data subjects’ request, to meet the entity’s objectives related to privacy.
SOC2	C1.1	The entity identifies and maintains confidential information to meet the entity’s objectives related to confidentiality.

Information privacy

MedStack Confidential

Metadata

• responsible officer: CTO
• approved by: CTO
• date
  • effective: 2018-06-20
  • revised: 2020-06-18
  • reviewed: 2022-08-31
• Applicability: standard

General

• Comply with all privacy and data protection laws, regulations, and rules in each jurisdiction where we conduct business.
• The Privacy Official is the Chief Technology Officer (CTO).
• Commit to respecting the privacy rights of individuals and to the protection of their personal health information.

We do not directly collect, use or disclose PHI

• We provide technical services for companies who provide services to individuals, Health Information Custodians (HICs) or Covered Entities (CEs)
  • HIPAA: We serve Business Associates
  • PHIPA: We serve Electronic Service Providers or Health Information Network Providers
• We rely on our customer to manage the following aspect of PHI
  • consent and consent directives
  • collection and limitation of collection
  • use, disclosure and retention
  • accuracy
• If a request, complaint, or issue regarding patient rights, use or disclosure of PHI, accuracy or privacy occurs
  • Inform the requester that we do not manage this directly.
  • Direct the requester to the relevant customer.
  • Document the request and the action taken.

Code	Section	Title
HIPAA	45 CFR Subpart D (§§ 164.400 - 164.414)	Notification in the Case of Breach of Unsecured Protected Health Information
HIPAA	45 CFR Subpart E (§§ 164.500 - 164.534)	Privacy of Individually Identifiable Health Information

Access customer content only to maintain or provide our services

• Avoid accessing PHI directly.
• Access customer source code for purposes such as customer service and operational maintenance.

Safeguard privacy

• Apply appropriate physical, administrative and technical safeguards to protect PHI against loss or theft, or from unauthorized access, disclosure, copying, use, disposal or modification.

Publish a Privacy Notice

• Publish a Privacy Notice on our website and in our applications, that provides specific information about our policies and practices relating to our handling of PHI.

Inquiries, complaints, and disputes from data subjects

• Refer requests to our customers
  • Refer requests by individuals for access to their PHI, or correction of their PHI, that is stored in our systems, to our customer who manages that individual’s data.
  • Implement functionality in our systems and associated business processes to enable our customers to provide individuals with access to their PHI and to make corrections or amendments to the records.
• Handle compliance challenges
  • An individual shall be able to challenge our compliance.
  • Challenges must be submitted in writing to the Chief Compliance Officer.

Implement an Information Privacy Program

• Provide privacy and security training for our employees and contractors.
• Have a signed a confidentiality agreement with all of our employees and contractors.
• Implement a process to receive, investigate and resolve questions or complaints from individuals, substitute decision makers and the public.
• Implement a program to monitor and audit access to records of PHI to detect privacy breaches.
• Investigate privacy breaches and make recommendations for corrective action to avoid similar breaches in the future.
• Ensure that agreements or contracts with third parties who require access to PHI, contain provisions to adequately protect PHI.

Verify compliance

• Verify compliance to this policy through various methods, including but not limited to
  • business tool reports
  • internal and external audits
  • and feedback to the policy owner

Enforcement

• Responsible party: All managers and supervisors

References

Code	Section	Title
ISO	A.18.1.4	Privacy and protection of personally identifiable information
CHI	PR1	Accountable Person
CHI	PR3	Privacy Policy
Canadian Standards Association (CSA) Model Code for the Protection of Personal Information
SOC2	CC8.1	The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.
SOC2	P1.1	The entity provides notice to data subjects about its privacy practices to meet the entity’s objectives related to privacy. The notice is updated and communicated to data subjects in a timely manner for changes to the entity’s privacy practices, including changes in the use of personal information, to meet the entity’s objectives related to privacy.
SOC2	P1.1	The entity provides notice to data subjects about its privacy practices to meet the entity’s objectives related to privacy. The notice is updated and communicated to data subjects in a timely manner for changes to the entity’s privacy practices, including changes in the use of personal information, to meet the entity’s objectives related to privacy.
SOC2	P2.1	The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to the data subjects and the consequences, if any, of each choice. Explicit consent for the collection, use, retention, disclosure, and disposal of personal information is obtained from data subjects or other authorized persons, if required. Such consent is obtained only for the intended purpose of the information to meet the entity’s objectives related to privacy. The entity’s basis for determining implicit consent for the collection, use, retention, disclosure, and disposal of personal information is documented.
SOC2	P2.1	The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to the data subjects and the consequences, if any, of each choice. Explicit consent for the collection, use, retention, disclosure, and disposal of personal information is obtained from data subjects or other authorized persons, if required. Such consent is obtained only for the intended purpose of the information to meet the entity’s objectives related to privacy. The entity’s basis for determining implicit consent for the collection, use, retention, disclosure, and disposal of personal information is documented.
SOC2	P3.1	Personal information is collected consistent with the entity’s objectives related to privacy.
SOC2	P3.2	For information requiring explicit consent, the entity communicates the need for such consent, as well as the consequences of a failure to provide consent for the request for personal information, and obtains the consent prior to the collection of the information to meet the entity’s objectives related to privacy.
SOC2	P4.1	The entity limits the use of personal information to the purposes identified in the entity’s objectives related to privacy.
SOC2	P4.2	The entity retains personal information consistent with the entity’s objectives related to privacy.
SOC2	P4.2	The entity retains personal information consistent with the entity’s objectives related to privacy.
SOC2	P5.1	The entity grants identified and authenticated data subjects the ability to access their stored personal information for review and, upon request, provides physical or electronic copies of that information to data subjects to meet the entity’s objectives related to privacy. If access is denied, data subjects are informed of the denial and reason for such denial, as required, to meet the entity’s objectives related to privacy.
SOC2	P5.2	The entity corrects, amends, or appends personal information based on information provided by data subjects and communicates such information to third parties, as committed or required, to meet the entity’s objectives related to privacy. If a request for correction is denied, data subjects are informed of the denial and reason for such denial to meet the entity’s objectives related to privacy.
SOC2	P6.1	The entity discloses personal information to third parties with the explicit consent of data subjects, and such consent is obtained prior to disclosure to meet the entity’s objectives related to privacy.
SOC2	P6.4	The entity obtains privacy commitments from vendors and other third parties who have access to personal information to meet the entity’s objectives related to privacy. The entity assesses those parties’ compliance on a periodic and as-needed basis and takes corrective action, if necessary.
SOC2	P8.1	The entity implements a process for receiving, addressing, resolving, and communicating the resolution of inquiries, complaints, and disputes from data subjects and others and periodically monitors compliance to meet the entity’s objectives related to privacy. Corrections and other necessary actions related to identified deficiencies are made or taken in a timely manner.
SOC2	P8.1	The entity implements a process for receiving, addressing, resolving, and communicating the resolution of inquiries, complaints, and disputes from data subjects and others and periodically monitors compliance to meet the entity’s objectives related to privacy. Corrections and other necessary actions related to identified deficiencies are made or taken in a timely manner.

Information security

MedStack Confidential

Metadata

• responsible officer: CTO
• approved by: CTO
• date
  • effective: 2018-06-20
  • revised: 2020-06-18
  • reviewed: 2022-08-31
• Applicability: standard

Guide ourselves using an Information Security Management Program based on ISO/IEC 27002:2013

• The purpose of the ISMP is to
  • to develop and deploy our Information Security Management Program
  • to implement security controls as required based on an assessment of security risk
  • to mitigate risks
  • to have a safe and secure working environment
  • to protect ourselves and our customers from liability and damage
• The ISMP is for everyone
  • leadership
  • employees
  • contractors

Meet our responsibilities for protecting data

• Comply with and be aware of all applicable privacy or data protection rules and regulations
  • all laws and associated regulations or rules
  • in all jurisdictions where we conduct business
• Specifically comply with
  • HIPAA (USA)
  • PIPEDA (Canada)
  • Canadian provincial regulations
  • GDPR (Europe)
• Maintain awareness of current and relevant security and privacy laws as they change.

Protect and secure all of our information system assets

• Information system assets include
  • computers
  • mobile devices
  • networking equipment
  • software
  • data (including PHI)
• Information protection categories includes
  • privacy
  • confidentiality
  • availability
  • integrity

Align the ISMP with our goals and processes

• make it compatible with our strategic direction
• integrate it into our processes
• ensure that the resources needed are available

Continuously improve our policies

• respond to feedback
• review whether they meet their intended goals
• update them as appropriate

Verify compliance to this policy

• Use various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.
  • Implement automated regular information system activity reviews
    • audit logs
    • access reports
    • security incident tracking reports

Report problems

• If you detect a problem, report it immediately and include
  • narrative of the problem
  • how long the problem has existed
  • suggested solutions
• If a problem is reported
  • Do not take action against the employee who reported the problem.
  • Document the problem.
  • Assess the problem’s severity.
  • Implement mitigations and solutions as appropriate.
• Priority problems
  • include network security and data integrity problems
  • should be reported directly to the CPSO in addition to normal reporting channels
  • should be acted on immediately

Exceptions

• Any exception to this policy must be approved by the Security Officer in advance.

Enforcement

• Responsible party: All managers and supervisors

Non-compliance

• employees: Any violation of this Information Security policy by an employee is subject to disciplinary sanctions, up to and including dismissal.
• customers: Any violation of this policy by an employee or agent of a customer organization will be reported to the customer organization and handled in accordance with the customer organization’s sanctions policy. Where the violation poses a threat to us or other customers, we may take appropriate action to protect PHI and other sensitive assets. This could include suspension of access privileges for individuals who violate this policy.
• vendors: Any violation of this Information Security policy by a supplier, vendor or contractor or their respective employees and agents, is subject to remedies identified in the agreement or contract. We may request the removal of a supplier, vendor or contractor employee who has violated this Information Security policy.

References

Code	Section	Title
ISO	A.6	Organization of information security
ISO	A.6.1	Internal organization
ISO	A.6.1.1	Information security roles and responsibilities
ISO	A.6.1.2	Segregation of duties
ISO	A.6.1.5	Information security in project management
CHI	SR2	Security Policy
CHI	SR3	Information security management, coordination and allocation of responsibilities
SOC2	CC1.3	COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
SOC2	CC1.3	COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
SOC2	CC1.4	COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
SOC2	CC1.5	COSO Principle 5: The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
SOC2	CC5.1	COSO Principle 10: The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
SOC2	CC6.3	The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives.

Information security incidents

MedStack Confidential

Metadata

• responsible officer: CTO
• approved by: CTO
• date
  • effective: 2018-06-20
  • revised: 2020-06-18
  • reviewed: 2022-08-31

Use automated systems to detect, log, and alert on suspicious activity

• Intrusion Detection System (IDS)
  • Install and run IDS on all systems.
  • Automatically alert staff when highly suspicious events are detected.
• Security Information and Event Management (SIEM)
  • Operate a SIEM covering all systems.
  • Centrally log information-security related events.
  • Provide a facility for staff to search and analyze logs.
• Incident Response (IR)
  • Use an Incident Response system to automatically alert and manage the staff response to incidents.

Immediately respond upon detection

• Notify management and employees
  • Inform the CPSO and other management of the incident.
  • Notify additional employees if needed to assist with incident response.
• Classify the incident
  • Identify and classify the severity of the incident.
  • Determine the actual risk to PHI and to the subject(s) of the PHI.
• Mitigate harmful effects
  • Disable systems (if appropriate) to prevent the incident from continuing.
  • Repair, patch, or otherwise correct the condition or error that created the incident.
  • Retrieve or limit the dissemination of PHI, if possible.
• Collect evidence
  • Preserve information about the incident which can serve as evidence.

Code	Section	Title
ISO	A.16.1.1	Responsibilities and procedures
ISO	A.16.1.2	Reporting information security events
ISO	A.16.1.4	Assessment of and decision on information security events
ISO	A.16.1.5	Response to information security incidents
ISO	A.16.1.7	Collection of evidence
SOC2	CC7.3	The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.
SOC2	CC7.4	The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.
SOC2	CC7.4	The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.
SOC2	CC2.2	COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
SOC2	CC2.2	COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
SOC2	CC7.2	The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.
SOC2	CC7.3	The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.
SOC2	P6.5	The entity obtains commitments from vendors and other third parties with access to personal information to notify the entity in the event of actual or suspected unauthorized disclosures of personal information. Such notifications are reported to appropriate personnel and acted on in accordance with established incident response procedures to meet the entity’s objectives related to privacy.
SOC2	P6.6	The entity provides notification of breaches and incidents to affected data subjects, regulators, and others to meet the entity’s objectives related to privacy.
SOC2	CC7.3	The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.
SOC2	CC7.3	The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.
SOC2	CC7.4	The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.
SOC2	CC7.5	The entity identifies, develops, and implements activities to recover from identified security incidents.
SOC2	CC2.2	COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
SOC2	CC7.4	The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.
SOC2	CC7.4	The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.
SOC2	CC7.5	The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.

Notify the appropriate parties when any breach of PII or PHI occurs

• A breach is treated as discovered by us
  • the first day on which such breach is known or should reasonably have been known
  • to any employee or agent of ours, other than the person who committed the breach.
• Notify customers and the appropriate legal authorities in a timely manner
  • within 72 hours
• Delay notification to customers under certain circumstances
  • if required by a legal authority
  • if notifying will increase the risk to other customers
• Include details that are available in the notification
  • a brief description of what happened
  • a description of the types of data involved
  • a brief description of the actions taken in response to the breach
  • contact procedures for the customer to ask questions and obtain further information

Code	Section	Title
ISO	A.6.1.3	Contact with authorities
HIPAA	164.41	Notification by a business associate
HIPAA	164.412	Law enforcement delay
GDPR	Article 33	Notification of a personal data breach to the supervisory authority
SOC2	CC1.3	COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

Analyse and document

• Research and analyse the incident to understand what occurred.
• Improve system security if appropriate based on the results of the analysis.
  • If needed, create reports
    • to share internally, to improve our information security
    • to share with the customer, to inform them of what occurred
• Update training and awareness programs for employees if appropriate.

Code	Section	Title
ISO	A.16.1.6	Learning from information security incidents
SOC2	CC2.2	COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
SOC2	CC7.5	The entity identifies, develops, and implements activities to recover from identified security incidents.

Require notifications from suppliers

• Require our suppliers to report all breaches, losses, or compromises of PHI, whether secured or unsecured.
• Require notification promptly, and at least within the legally required timeline.
• Include breach notification requirements in supplier contracts.

Report weaknesses

• Report security weaknesses that are observed or suspected.

Code	Section	Title
ISO	A.16.1.3	Reporting information security weaknesses
SOC2	CC2.2	COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
SOC2	CC2.2	COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
SOC2	CC2.3	COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control.
SOC2	CC4.2	COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
SOC2	CC7.2	The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.
SOC2	CC7.3	The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.

Enforcement

• Responsible party: All managers and supervisors
• sanctions: standard

References

Code	Section	Title
ISO	A.16.1	Management of information security incidents and improvements
CHI	SR83	Reporting Security Incidents Involving the EHRi
CHI	SR84	Responding to Security Incidents Involving the EHRi
HIPAA	164.308(a)(6)(i)	Standard: Security incident procedures
HIPAA	164.308(a)(6)(ii)	Response and reporting (Required)

Information transfer

MedStack Confidential

Metadata

• responsible officer: CTO
• approved by: CTO
• date
  • effective: 2020-07-29
  • revised: 2020-07-29
  • reviewed: 2022-08-31

Document information transfer security in agreements

• We do not directly transfer PHI to third parties.

Code	Section	Title
ISO	A.13.2.2	Agreements on information transfer

Cryptographically secure and sign communications

• Use encryption to protect all communications, including
  • electronic messaging
  • remote conferencing
  • interactions with internet-based software applications

Code	Section	Title
ISO	A.13.2.3	Electronic messaging
SOC2	CC6.7	The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives.

Document non-disclosure requirements in agreements

Code	Section	Title
ISO	A.13.2.4	Confidentiality or non-disclosure agreements

Enforcement

• Responsible party: All managers and supervisors
• sanctions: standard

References

Code	Section	Title
ISO	A.13.2	Information transfer
ISO	A.13.2.1	Information transfer policies and procedures
SOC2	CC6.7	The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives.

Logging and monitoring

MedStack Confidential

Metadata

• responsible officer: CTO
• approved by: CTO
• date
  • effective: 2018-06-20
  • revised: 2020-08-05
  • reviewed: 2022-08-31
• Applicability: standard

Log events automatically on all operational systems

• admin activity
• user activity
• exceptions
• faults
• information security events
• remote access, logins and logouts
• privilege escalation (such as sudo and su)
• actions that require administrator access
• changes to accounts (such as passwords)
• changes to system settings

Code	Section	Title
ISO	A.12.4.1	Event logging
ISO	A.12.4.3	Administrator and operator logs
HIPAA	164.308(a)(5)(ii)(C)	Log-in monitoring (Addressable)
SOC2	CC7.2	The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.

Log service activity on all systems that handle PHI

• Examples of activity to log
  • HTTP activity
  • Database activity

Protect the logs

• Store on a central log server.
• Require administrator access to view logs at a customer level.
• Require superadmin access to view all logs.
• Do not permit services that ship logs to modify or delete logs.
• Back up the logs.

Code	Section	Title
ISO	A.12.4.2	Protection of log information

Retain logs until whichever comes first

• For information security logs
  • for at least six months
  • longer if they are needed for an active investigation
• For non-information security logs
  • An appropriate time
  • until the affected customer is no longer under contract

Code	Section	Title
NIST	Special Publication 800-92	Guide to Computer Security Log Management

Synchronize the clocks of servers

• using ntp

Code	Section	Title
ISO	A.12.4.4	Clock synchronisation

Enforcement

• Responsible party: All managers and supervisors
• sanctions: standard

References

Code	Section	Title
ISO	A.12.4	Logging and monitoring
HIPAA	164.308(a)(1)(ii)(D)	Information system activity review (Required)
HIPAA	164.312(b)	Standard: Audit controls
OWASP		Logging Cheat Sheet
NIST	Special Publication 800-92	Guide to Computer Security Log Management

Malware protection

MedStack Confidential

Metadata

• responsible officer: CTO
• approved by: CTO
• date
  • effective: 2018-06-20
  • revised: 2020-08-05
  • reviewed: 2022-08-31

Do not require server-level malware protection on Linux servers

• Linux servers do not require operating-system level anti-malware software
• File upload software should implement malware scanning.

Code	Section	Title
SANS	Server Malware Protection Policy	Policy

Run malware protection on workstations

• Mac OS
  • Periodically run appropriate anti-malware software (e.g. Malwarebytes).
• Linux
  • Use appropriate anti-malware software.
• Windows
  • Use (preferably multiple) industry standard anti-malware software.
• Updates
  • Keep malware software and definitions up to date using automatic updating.
• Mobile code
  • Use malware protection software to automatically control mobile code (e.g. javascript, Word macros).

Code	Section	Title
ISO	A.12.2.1	Controls against malware
NIST	SC-18	Mobile Code
SOC2	CC6.8	The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives.

When malware is detected

• Quarantined the affected workstation.
• Correct the infection using anti-malware software.
• Report and document the incident.

Enforcement

• Responsible party: All managers and supervisors
• sanctions: standard

References

Code	Section	Title
ISO	A.12.2	Protection from malware
HIPAA	164.308(a)(5)(ii)(B)	Protection from malicious software (Addressable)
CHI	SR28	Protecting Against Malware

Media handling

MedStack Confidential

Metadata

• responsible officer: CTO
• approved by: CTO
• date
  • effective: 2018-06-20
  • revised: 2020-08-05
  • reviewed: 2022-08-31
• Applicability: standard

Erase or destroy media containing PHI prior to disposal or re-use to prevent data from being recovered

• For operational systems, rely on cloud providers to erase and destroy media.
  • For media on workstations and mobile devices
    • For encrypted media, destroy the encryption key or erase the drive using the standard system.
    • For unencrypted HDD media, erase the disk using a standard secure disk erasure system.
    • For unencrypted media of other types, securely destroy the media.

Code	Section	Title
ISO	A.8.3.1	Management of removable media
ISO	A.8.3.2	Disposal of media
CHI	SR34	Disposing of Media Containing PHI
HIPAA	164.310(d)(2)(i)	Disposal (Required)
HIPAA	164.310(d)(2)(ii)	Media re-use (Required)
SOC2	CC6.5	The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives.
SOC2	CC6.5	The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives.
SOC2	CC6.7	The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives.

Don’t put sensitive data on removable media

Code	Section	Title
ISO	A.8.3.3	Physical media transfer
CHI	SR33	Protecting PHI on Portable Media
CHI	SR35	Protecting Data Storage
CHI	SR36	Protecting Storage of Unencrypted PHI in the EHRi
SOC2	CC6.7	The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives.

Enforcement

• Responsible party: All managers and supervisors
• sanctions: standard

References

Code	Section	Title
ISO	A.8.3	Media handling
ISO	A.11.2.7	Secure disposal or re-use of equipment
HIPAA	164.310(d)(1)	Standard: Device and media controls
HIPAA	164.310(d)(2)(iii)	Accountability (Addressable)
SOC2	CC6.5	The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives.
SOC2	CC6.7	The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives.

Mobile devices and teleworking

MedStack Confidential

Metadata

• responsible officer: CTO
• approved by: CTO
• date
  • effective: 2018-06-20
  • revised: 2020-06-18
  • reviewed: 2022-08-31
• Applicability: standard

Be secure while teleworking

• Secure home telework spaces in accordance with Secure Areas policy.
• When entering or displaying sensitive information, protect the keyboard and screen from view by others.
• Use only secure wireless networks.

Code	Section	Title
ISO	A.6.2.2	Teleworking

Mobile devices

• Secure mobile devices
  • in accordance with the Workstation policy
  • both personal and company-owned
  • against theft by carrying or leaving in a safe place
  • against wireless attacks (such as attacks using WiFi, Bluetooth, and NFC)
• Only use mobile devices
  • that can be secured effectively

Code	Section	Title
ISO	A.6.2.1	Mobile device policy
SOC2	CC6.7	The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives.

Enforcement

• Responsible party: All managers and supervisors
• sanctions: standard

References

Code	Section	Title
ISO	A.6.2	Mobile devices and teleworking
ISO	A.11.2.6	Security of equipment and assets off-premises

Network security management

MedStack Confidential

Metadata

• responsible officer: CTO
• approved by: CTO
• date
  • effective: 2018-06-20
  • revised: 2020-08-05
  • reviewed: 2022-08-31
• Applicability: standard

Manage and control networks

• Establish and implement technical security measures to guard against unauthorized access to electronic PHI that is being transmitted over electronic communications networks.
• Manage and control networks to protect information in systems and applications.

Code	Section	Title
ISO	A.13.1.1	Network controls
SOC2	CC6.6	The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
SOC2	CC6.6	The entity implements logical access security measures to protect against threats from sources outside its system boundaries.

Segregate the networks of each each customer using virtual networks

• Implement network routing controls to restrict data flows of PHI.

Code	Section	Title
ISO	A.13.1.3	Segregation in networks
CHI	SR66	Segregating EHRi Network Users, Services and Systems
CHI	SR67	Controlling Routing on EHRi Networks
SOC2	CC6.1	The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.

Use firewalls on all virtual networks and servers

• Enforce the use of encrypted ports (except to forward non-encrypted traffic to encrypted ports).
• Prevent the use of unauthorized ports.
• Manage the use of unauthorized diagnostic services such as ICMP.

Code	Section	Title
CHI	SR65	Controlling Access to EHRi Network Diagnostics and Network Management Services
SOC2	CC6.6	The entity implements logical access security measures to protect against threats from sources outside its system boundaries.

Enforcement

• Responsible party: All managers and supervisors
• sanctions: standard

References

Code	Section	Title
ISO	A.13.1	Network Security Management
SOC2	CC6.7	The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives.
SOC2	CC6.7	The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives.

Risk management

MedStack Confidential

Metadata

• responsible officer: CTO
• approved by: CTO
• date
  • effective: 2018-06-20
  • revised: 2020-05-05
  • reviewed: 2022-08-31
• Applicability: standard

Perform risk management

• Improve the effectiveness of our policies and procedures.
• Protect our business, our assets, our personnel, and the PHI that we possess.
• Identify, analyze, prioritize, and minimize risks to information privacy, security, integrity, and availability.
• Recommend improvements to reduce risk, and use the recommendations to reduce risk as much as is practicable.

Maintain a continuous cadence of risk management assessments and tests

• Update on a regular schedule
  • Update all assessments annually
• Update when significant changes occur
  • when the internal environment or operations significantly change
  • when the external environment significantly changes

Code	Section	Title
HIPAA	164.308(a)(8)	Standard: Evaluation

Acquire and maintain independent certifications

• HITRUST
  • a private US certification organization that maintains the HITRUST Common Security Framework (CSF)
  • primarily targets the healthcare industry
  • compliance is audited by an independent authorized assessor organization
  • HITRUST verifies the assessment and issues the certification
• SOC 2
  • an auditing standard developed by the American Institute of CPAs (AICPA) consisting of the Trust Services Criteria
  • targets the services industry
  • compliance is audited by an independent authorized assessor organization
  • the assessor then issues a SOC 2 report

Acquire and maintain independent risk assessments

• Threat and Risk Assessment (TRA) and Privacy Impact Assessment (PIA)
  • conducted by an independent expert
  • review technical, administrative and physical safeguards
  • review control objectives, controls, policies, processes, procedures
• Model the assessment on
  • ISO 27005 (Information security risk management) as the primary framework
  • NIST SP 800-30 (Guide for Conducting Risk Assessments) as an additional framework
  • business and information-technology best practices
• Involve the necessary parties, including
  • senior management
  • software development and operations

Code	Section	Title
ISO	8.2	Information security risk assessment

Acquire and maintain independent security tests

• Pen tests
  • Commission third-party penetration tests.
• Network scans
  • Commission third-party network and port scans.

Perform internal reviews and assessments of information security risk

• Review
  • Information processing and procedures, for compliance with the appropriate security policies, standards and any other security requirements
  • Information systems, for compliance with the organization’s information security policies and standards
  • Third party vendors

Code	Section	Title
ISO	A.18.2.2	Compliance with security policies and standards
ISO	A.18.2.3	Technical compliance review
SOC2	CC4.1	COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

Distribute the results of reviews to

• senior management
• software development and operations
• external parties, as appropriate

Code	Section	Title
SOC2	CC4.2	COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Manage and treat risk

• Use the results of risk analyses and assessments
  • Integrate the results into management’s decision-making process.
  • Use the results to guide decisions related to the protection of PHI.

Enforcement

• Responsible party: All managers and supervisors
• sanctions: standard

References

Code	Section	Title
ISO	8.3	Information security risk treatment
ISO	A.18.2	Information security reviews
ISO	A.18.2.1	Independent review of information security
CHI	SR1	Threat and Risk Assessment
CHI	SR4	Independent Review of Security Policy Implementation
HIPAA	164.308(a)(1)(i)	Standard: Security management process
HIPAA	164.308(a)(1)(ii)(A)	Risk analysis (Required)
HIPAA	164.308(a)(1)(ii)(B)	Risk management (Required)
SOC2	CC4.1	COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
SOC2	CC4.1	COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
SOC2	CC4.1	COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
SOC2	P8.1	The entity implements a process for receiving, addressing, resolving, and communicating the resolution of inquiries, complaints, and disputes from data subjects and others and periodically monitors compliance to meet the entity’s objectives related to privacy. Corrections and other necessary actions related to identified deficiencies are made or taken in a timely manner.

Secure areas

MedStack Confidential

Metadata

• responsible officer: CTO
• approved by: CTO
• date
  • effective: 2018-06-20
  • revised: 2020-06-18
  • reviewed: 2022-08-31
• Applicability: standard

Delegate the physical security of all operational systems, facilities, and equipment to major cloud providers

Code	Section	Title
ISO	A.11.1	Secure areas
ISO	A.11.1.1	Physical security perimeter
ISO	A.11.1.2	Physical entry controls
ISO	A.11.1.3	Securing offices, rooms and facilities
ISO	A.11.1.4	Protecting against external and environmental threats
ISO	A.11.1.5	Working in secure areas
ISO	A.11.1.6	Delivery and loading areas
CHI	SR17	Physically securing EHRi systems
HIPAA	164.310(a)(1)	Standard: Facility access controls
SOC2	CC6.4	The entity restricts physical access to facilities and protected information assets (for example, data center facilities, back-up media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives.
SOC2	CC6.4	The entity restricts physical access to facilities and protected information assets (for example, data center facilities, back-up media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives.

Delegate the physical management and ownership of all operational systems, facilities, and equipment to major cloud providers

• The full lifecycle of all physical assets
• Environment management
• Recovery from physical disasters
• Maintenance

Code	Section	Title
ISO	A.11.2	Equipment
ISO	A.11.2.1	Equipment siting and protection
ISO	A.11.2.2	Supporting utilities
ISO	A.11.2.3	Cabling security
ISO	A.11.2.4	Equipment maintenance
ISO	A.11.2.5	Removal of assets
HIPAA	164.310(a)(2)(i)	Contingency operations (Addressable)
HIPAA	164.310(a)(2)(ii)	Contingency operations
HIPAA	164.310(a)(2)(iii)	Access control and validation procedures (Addressable)
HIPAA	164.310(a)(2)(iv)	Maintenance records
SOC2	A1.2	The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.
SOC2	A1.2	The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.

Enforcement

• Responsible party: All managers and supervisors
• sanctions: standard

References

Software development and operations

MedStack Confidential

Metadata

• responsible officer: CTO
• approved by: CTO
• date
  • effective: 2018-06-20
  • revised: 2020-06-18
  • reviewed: 2022-08-31

Applicability

• people: This policy applies to all employees, contractors, suppliers and vendors who develop software that interacts with PHI.

To conduct software development and operations

• Perform these activities
  • Define operational procedures and responsibilities
  • Control operational software and authorize changes
  • Acquire, develop, test, document and maintain systems
  • Implement security requirements for information systems
  • Protect data used for testing
• On these entities
  • configurations
  • infrastructure
  • data
  • software

Code	Section	Title
ISO	A.12.1	Operational procedures and responsibilities
ISO	A.12.5	Control of operational software
ISO	A.14	System acquisition, development and maintenance
ISO	A.14.2	Security in development and support processes

Implement all operations activities as software development

• Make all changes to operational systems by
  • modifying source code
  • executing the source code
  • using automated tools
• Use software development methods to
  • test development, staging and operational systems
  • ensure that performance matches expectations
  • document software and processes (where they are not self-documenting)
  • log modifications to the systems

Code	Section	Title
ISO	A.12.1.1	Documented operating procedures
ISO	A.12.1.2	Change management
ISO	A.12.5.1	Installation of software on operational systems
SOC2	CC2.1	COSO Principle 13: The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.
SOC2	CC2.2	COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
SOC2	CC2.2	COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
SOC2	CC3.4	COSO Principle 9: The entity identifies and assesses changes that could significantly impact the system of internal control.
SOC2	CC6.8	The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives.
SOC2	CC8.1	The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.
SOC2	PI1.1	The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of data processed and product and service specifications, to support the use of products and services.
SOC2	PI1.1	The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of data processed and product and service specifications, to support the use of products and services.

Make security a key part of software development and operations

• Design and develop systems to be secure
  • Design using Privacy by Design and Security by Design.
  • Develop using security best-practices (e.g. OWASP).
  • Use secure development environments.
  • Avoid unnecessary changes.
  • Design systems to be continuously auditable and testable.
• Scan and test operational systems applications for vulnerabilities
  • Scan operational systems for security flaws.
  • Commission third-party network scans.
  • Commission third-party penetration tests.
• Manage vulnerabilities
  • Document, review and manage vulnerabilities.
  • Monitor security news for new vulnerabilities.

Code	Section	Title
ISO	A.12.6.1	Management of technical vulnerabilities
ISO	A.12.7.1	Information systems audit controls
ISO	A.14.1	Security requirements of information systems
ISO	A.14.1.1	Information security requirements analysis and specification
ISO	A.14.1.2	Securing application services on public networks
ISO	A.14.1.3	Protecting application services transactions
ISO	A.14.2.1	Secure development policy
ISO	A.14.2.4	Restrictions on changes to software packages
ISO	A.14.2.5	Secure system engineering principles
ISO	A.14.2.6	Secure development environment
Privacy by Design
OWASP Security by Design Principles
SOC2	CC6.7	The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives.
SOC2	CC6.8	The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives.
SOC2	CC7.1	To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.
SOC2	CC8.1	The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.
SOC2	CC8.1	The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.
SOC2	CC8.1	The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.

Control changes to software and systems

• Use a source control system
  • to control changes to software
  • to manage access to source code
• Control and automate the deployment of software to production
  • Peer review new and modified software before deployment to production.
  • Use a continuous deployment system.
• In case of emergency changes outside of the normal process
  • document the changes made
  • incorporate the changes back into the normal process
• Use the principle of least privilege
  • Grant software the minimum necessary access to perform its function.
  • Limit only production engineers to have access to production systems.

Code	Section	Title
ISO	A.14.2.2	System change control procedures

Operate reliable systems with appropriate redundancy and availability

Code	Section	Title
ISO	A.12.1.3	Capacity management
ISO	A.17.2.1	Availability of information processing facilities
SOC2	A1.1	The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.
SOC2	A1.2	The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.

Perform testing of software

• Automate testing in a secure manner
  • Implement automated tests of systems.
  • Perform testing primarily on non-production systems.
  • Do not use real data or PHI for testing or demonstrations.
• Test for
  • regressions
  • security flaws
  • acceptance criteria

Code	Section	Title
ISO	A.12.1.4	Separation of development, testing and operational environments
ISO	A.14.2.3	Technical review of applications after operating platform changes
ISO	A.14.2.8	System security testing
ISO	A.14.2.9	System acceptance testing
ISO	A.14.3	Test data
ISO	A.14.3.1	Protection of test data
SOC2	CC8.1	The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.
SOC2	CC8.1	The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.
SOC2	CC8.1	The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.

Have PHI only on production systems

• Do not copy PHI to non-production systems
  • only production systems are secured and managed correctly to handle PHI
• If PHI is on a non-production system
  • Evaluate the security of the non-production system (e.g. a secure workstation).
  • Securely delete the data as soon as possible.
  • Report the incident.

Do not outsource software development and operations

• All development and operations is performed by employees or contractors directly managed by employees.

Code	Section	Title
ISO	A.14.2.7	Outsourced development
SOC2	CC2.3	COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control.

Respect Intellectual Property Rights and licenses

• Identify and comply with IPR for source code of external origin (including open source software).
• Identify and comply with IPR for software tools (including open source software).

Code	Section	Title
ISO	A.18.1.2	Intellectual property rights
SOC2	CC3.1	COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

Enforcement

• Responsible party: All managers and supervisors
• sanctions: standard

References

Code	Section	Title
ISO	A.9.4.5	Access control to program source code
ISO	A.12.6	Technical vulnerability management
ISO	A.17.2	Redundancies
CHI	SR80	Implementing Software and Upgrades in the EHRi
CHI	SR81	Protecting EHRi Software
CHI	SR82	Managing Known Vulnerabilities
SOC 2	CC8.1	The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.

Suppliers

MedStack Confidential

Metadata

• responsible officer: CTO
• approved by: CTO
• date
  • effective: 2018-06-20
  • revised: 2020-08-05
  • reviewed: 2022-08-31
• Applicability: standard

Ensure suppliers and vendors have appropriate safeguards

• Use only major public cloud service providers to handle PHI
  • Use recognized independent standards to determine the supplier’s security and compliance, such as ISO 27001, SOC2 and HITRUST.
  • Do not provide PHI to any other suppliers.
• Acquire and maintain documentation for the safeguards
  • Sign contracts with suppliers that enforce our compliance requirements.
  • Where HIPAA is applicable, obtain a HIPAA BAA from the supplier.
  • Acquire and retain the supplier’s documentation.
  • Acquire updated documentation annually.
• Review
  • Review updated vendor documentation annually.

Code	Section	Title
ISO	A.15.1.1	Information security policy for supplier relationships
ISO	A.15.1.2	Addressing security within supplier agreements
ISO	A.15.1.3	Information and communication technology supply chain
ISO	A.15.2.1	Monitoring and review of supplier services
SOC2	CC2.3	COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control.
SOC2	CC2.3	COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control.
SOC2	CC3.2	COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
SOC2	CC3.2	COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
SOC2	CC3.2	COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
SOC2	CC4.2	COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
SOC2	CC9.2	The entity assesses and manages risks associated with vendors and business partners.
SOC2	CC9.2	The entity assesses and manages risks associated with vendors and business partners.
SOC2	CC9.2	The entity assesses and manages risks associated with vendors and business partners.
SOC2	CC9.2	The entity assesses and manages risks associated with vendors and business partners.
SOC2	CC9.2	The entity assesses and manages risks associated with vendors and business partners.
SOC2	CC9.2	The entity assesses and manages risks associated with vendors and business partners.
SOC2	P6.5	The entity obtains commitments from vendors and other third parties with access to personal information to notify the entity in the event of actual or suspected unauthorized disclosures of personal information. Such notifications are reported to appropriate personnel and acted on in accordance with established incident response procedures to meet the entity’s objectives related to privacy.

Document security mechanisms, SLAs and management information in agreements

• with our vendors
• with our customers

Code	Section	Title
ISO	A.13.1.2	Security of network services

Business Associate suppliers

• US law (HIPAA) requires a chain of Business Associate relationships.
• A Business Associate is a person or entity to whom a we delegate a function, activity, or service involving PHI, and who is not our employee.
• Sign Business Associate Agreement (BAA) contracts that meet all of the requirements and standards of HIPAA, State law, and our policies and procedures.
• Subcontractors of Business Associates are Business Associates themselves.
  • Business Associates include the following if they handle PHI
    • Sub-contractors
    • Patient safety organizations
    • Health Information Organizations (HIOs) (and similar organizations such as Health Information Exchanges (HIEs) and regional health information organizations)
    • E-prescribing gateways
    • Personal Health Record (PHR) vendors that provide services on behalf of a covered entity
    • Other firms or persons who “facilitate data transmission” that requires routine access to PHI

Code	Section	Title
HIPAA	164.308(b)	Business associate contracts and other arrangements
HIPAA	164.314(a)	Standard: Business associate contracts or other arrangements

Enforcement

• Responsible party: All managers and supervisors
• sanctions: standard

References

Code	Section	Title
ISO	A.15.1	Information security in supplier relationships
ISO	A.15.2	Supplier service delivery management
ISO	A.15.2.2	Managing changes to supplier services
CHI	PR2	Third-Party Agreements
CHI	SR6	Addressing security in third-party agreements
SOC2	CC2.3	COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control.
SOC2	CC8.1	The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.
SOC2	CC9.2	The entity assesses and manages risks associated with vendors and business partners.
SOC2	P1.1	The entity provides notice to data subjects about its privacy practices to meet the entity’s objectives related to privacy. The notice is updated and communicated to data subjects in a timely manner for changes to the entity’s privacy practices, including changes in the use of personal information, to meet the entity’s objectives related to privacy.
SOC2	P2.1	The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to the data subjects and the consequences, if any, of each choice. Explicit consent for the collection, use, retention, disclosure, and disposal of personal information is obtained from data subjects or other authorized persons, if required. Such consent is obtained only for the intended purpose of the information to meet the entity’s objectives related to privacy. The entity’s basis for determining implicit consent for the collection, use, retention, disclosure, and disposal of personal information is documented.
SOC2	P6.1	The entity discloses personal information to third parties with the explicit consent of data subjects, and such consent is obtained prior to disclosure to meet the entity’s objectives related to privacy.
SOC2	P6.4	The entity obtains privacy commitments from vendors and other third parties who have access to personal information to meet the entity’s objectives related to privacy. The entity assesses those parties’ compliance on a periodic and as-needed basis and takes corrective action, if necessary.

Workstation

MedStack Confidential

Metadata

• responsible officer: CTO
• approved by: CTO
• date
  • effective: 2018-06-20
  • revised: 2020-08-05
  • reviewed: 2022-08-31
• Applicability: standard

Automatically manage workstation computers using Mobile Device Management (MDM) software

• Require and enforce device protections
  • full-disk encryption of data on all devices (such as phones and laptops)
  • strong authentication
  • automatic screen lock for unattended devices
  • software and firmware updates from the vendor
  • remote wipe

Protect information from unauthorized view

• Papers and removable media
  • store out of site when they are unattended
• When working in a public environment such as a coffee shop
  • Shield the screen and keyboard from view when entering or viewing secrets.

Enforcement

• Responsible party: All managers and supervisors
• sanctions: standard

References

Code	Section	Title
ISO	A.11.2.8	Unattended user equipment
ISO	A.11.2.9	Clear desk and clear screen policy
HIPAA	164.310(b)	Standard: Workstation use
HIPAA	164.310(c)	Standard: Workstation security
SOC2	CC6.4	The entity restricts physical access to facilities and protected information assets (for example, data center facilities, back-up media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives.
SOC2	CC6.5	The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives.
SOC2	CC6.5	The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives.
SOC2	A1.2	The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.

August 30, 2022

Powered by